The security process

That organizational security should mean protection from harm may seem like a trivial statement. However, stating this simple goal gives us a starting point for initiating a security process inside an organization. Ultimately, this process will result in the organization introducing a number of security measures that serve the purpose of providing the necessary protection from harm. Access control, the main body our work, belong in this category. It is important to realize there is a long way to go before arriving at specific security measures. For instance, in order to protect from harm, we must first establish what constitutes harm with respect to the organization in question. In the security process, an assessment of risks, threats, and consequences, is used to establish security policies. Once established, the security policies govern which security measures should be taken. Carrying the security process this far will hopefully protect the organization from harm. However, the state of being secure is not static. External factors that are the basis for the assessment of risks and threats may change over time. Structural change within an organization, due to the security process and other factors, can change the initial conditions under which security assessments were made. To be effective the security process must be continuously reviewed. When countermeasures have been deployed they must be evaluated together with current policies. The results from this evaluation are important input when the process starts a new iteration.

Figure 2.1 shows the four main stages in the security process. The first phase in the process is an assessment of which assets there are, what vulnerabilities they have, and what threats there are to the assets. This analysis results in a number of risks being identified. Once a set of risks has been identified, work to minimize the risks can begin.

  
Figure 2.1: The security process.

In the second phase, decisions have to be made as to what countermeasures are necessary and justifiable. Here, factors such as cost, complexity and awkwardness of countermeasures must be weighed against organizational requirements and impact of potential damages. Some risks might be considered acceptable while others are deemed grave enough to warrant extensive countermeasures to be installed. We term this phase of strategic decisions establishment of policies. There exist a number of methods for carrying out phases one and two, see for instance [Mos92].

Only when overall considerations, economic, temporal, technical and other have been fully carried out will it be known what countermeasures should be implemented.

The final phase in the security process is the evaluation of current policies and deployed countermeasures. The evaluation should answer questions such as ``Do current policies have the desired effect?'', ``Do our countermeasures implement our policies?'', and ``How do our policies and countermeasures influence our initial assessments?''. The answers found in the evaluation phase are important input to the assessment phase of the next process iteration.

Of the phases in the security process, countermeasures and the deployment of countermeasures are probably the areas most studied and best understood. For instance, in [Mos92], Moses has classified countermeasures into seven categories:

Avoidance.

The causes of the risk are removed. For instance, dial in access to a network incurs a risk of unauthorized access from unknown sources. This risk can be avoided by not having any modems.

Transfer.

The items at risk are moved to a secure place. An example is putting a computer storing sensitive information in a locked room.

Reduction of threat.

Many events cannot be totally prevented, but often the probability of them occurring can be reduced. This can include fire precautions, staff training, safety regulations, surveillance, etc.

Reduction of vulnerability.

To reduce vulnerability is to lessen the risk of undesirable effects, given that some event has occurred. For example, in the event of an unauthorized person gaining access to a computer terminal, strong authentication procedures would reduce the vulnerability of the system as it would make it less likely that an intruder could cause damage to the system.

Reduction of impact.

Even though precautions have been taken, events with undesirable effects can still occur. It is then important to reduce the impact of these effects. This can involve measures such as having an up to date backup when a hard disk crashes and having a spare disk handy to minimize down-time.

Detection.

The sooner something unwanted happening in a system is detected, the better are the chances of successfully countering and reducing the effects. For instance, network traffic monitoring can often make it possible to fix problems before the situation deteriorates enough for the effects to be more generally noticeable.

Recovery.

Should something disastrous come to pass, it is vital to be able to recover quickly. By planning ahead, an organization might be able to recover, for instance after a devastating fire, where an organization without contingency planning would not.

As can be seen, some security countermeasures are technical in nature, while others are not. Sometimes there is a tendency to overly trust technology to provide security, but as the examples show, technology can never provide comprehensive security. Upon closer examination it turns out that many wise precautions are purely administrative in nature, but must nevertheless be considered important security measures.

Achieving security is a perpetual process. The process starts by identifying threats and restarts when countermeasures have been established. A countermeasure should ideally eliminate a threat completely. However, this is often prohibitively expensive or simply not possible. It might be necessary to settle for reducing the threat, or for just reducing the severeness of potential consequences. Where there is a choice of countermeasures, a balance has to be struck between the cost of the countermeasure, the probability for the harmful event to occur, and the consequences of the event. For instance, very expensive countermeasures are often only deemed necessary when consequences are very serious. The striking of this balance is achieved when formulating the organizational security policies. This is an intricate activity as available resources next to always set a limit on what can be done.